New in September 2010

As if this site doesn’t already leave lying around in various states of completion
more than enough lists of functions exported from this or that module through its
many different versions, I have this month started another. I had always dismissed
WININET.DLL from close attention on the assumption that it’s general-purpose Internet-access
functionality that likely works as documented. My immediate reason for looking now
was to see what my methods of analysis might usefully add to what others have discovered
of the INDEX.DAT file format, especially to support forensic evidence. To pick the
low-hanging fruit for that was diverting enough, and I really would like to do the
job thoroughly. Still, the present sketch is enough to show what could be aimed
for in computer forensics if its practitioners want what they deduce as evidence
to be based on more certain knowledge than can be got from any amount of collecting
impressions from observation, however cleverly. If you want
to know a file format and you have the software that defines the format, then the
knowledge you seek is in that software’s code. Anything you learn from any amount
of observing anything cannot be more than second best.

It soon became clear that a study of WININET has other merit, such that I ought
to have covered it long ago just as part of an occasional mission to record for
history what the integration of Windows and Internet Explorer meant in the software.
Though Microsoft documents WININET as providing Network Protocols
for Windows, its origin is plainly in Internet Explorer, it still has Internet Explorer
version numbering and it surely is still being developed as an Internet Explorer
component. So why not document it openly and honestly as a piece of Internet Explorer
that Windows can’t do without, for better or worse, even when users think to replace
Internet Explorer with some competing web browser? Though many of its exported functions
are documented, more than a handful aren’t, and the many that are support numerous
undocumented arguments and flags. The few for which I here venture some alternative
documentation turn out to be unusually buggy. Perhaps they’re just not used much.

Anyway, WININET becomes yet another topic that looks like it might usefully be
studied properly, if I can ever find a way to fund the work.